It has been reported publicly that myspace usernames and passwords have been stolen by phishers:

The story of the take-down is here.

Roughly 35,000 myspace usernames and passwords were captured by the bad guys.  The reference to 700,000 in the first dslreports link is not accurate, because it did not take into account some massive duplication of data.

I am a member of a security list wherein this problem was reported, and I saw some of the data that the phishers were gathering before the site hosting the stolen information was taken down.  One thing that worries me is the easily guessed passwords that were being used by some of the victims.  A distinct lack of inspiration when inventing a password was evident on the part of some myspace users.

Roger A. Grimes has blogged about the stolen passwords on infoworld - interesting data crunching:

I personally recommend that users choose passphrases, not passwords - at least three words, with capitalisation and punctuation included - and that phrases such as "abc123", "qwerty", "password" and other inane examples be strictly forbidden.  Passwords should also not contain your name, the name of the site you are logging in to, your address or date of birth, the names of family members, or anything else that somebody who knows you (or could find out about you) could guess.  Oh, and forget about things like "passw0rd".  Swapping a letter for a number is not going to protect you. Leetspeak may make you look hip 'n' cool, but it is not a security feature.
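To show what those rules look like when enforced at sign-up, here is an added example (not code from the original post or from any site it discusses) of a small passphrase checker. The banned-word list, the leetspeak substitution table and the sample usernames are constructed for this example; a real deployment would check against a large breached-password list. The point it demonstrates beyond the paragraph is that a leetspeak variant such as "passw0rd" is undone before checking, so it is rejected for the same reason as "password".

```python
import re
import string

# Constructed list of forbidden base words for this example (the post names
# only the first three); a real deployment would load a much larger
# breached-password list.
BANNED_WORDS = ("password", "qwerty", "abc123", "letmein", "123456")

# Common letter-for-symbol swaps, undone before checking so that "passw0rd"
# is judged as "password". One replacement per symbol is an assumption of
# this example; a production checker would try every alternative.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def compact(text):
    """Lower-case and keep only letters and digits, for substring comparison."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_passphrase(candidate, username="", site="", personal=()):
    """Return the list of policy rules the candidate breaks (empty means OK).

    Rules implemented, following the post's advice:
      * at least three words, with a capital letter and punctuation;
      * no banned word, even when written in leetspeak;
      * no username, site name, or personal detail (names, date of birth).
    """
    reasons = []

    if len(candidate.split()) < 3:
        reasons.append("fewer than three words")
    if not any(c.isupper() for c in candidate):
        reasons.append("no capital letter")
    if not any(c in string.punctuation for c in candidate):
        reasons.append("no punctuation")

    # Two views of the candidate: as typed, and with leetspeak undone
    # (translate first so "@" and "$" become letters before being compacted).
    raw = compact(candidate)
    deleet = compact(candidate.translate(LEET))

    for word in BANNED_WORDS:
        if word in raw or word in deleet:
            reasons.append(f"contains banned word '{word}'")

    # Personal details: anything someone who knows the user could guess.
    # Very short values (under three characters) are skipped to avoid
    # rejecting every passphrase that happens to contain two common letters.
    details = [("username", username), ("site name", site)]
    details += [("personal detail", p) for p in personal]
    for label, value in details:
        needle = compact(value)
        if len(needle) >= 3 and (needle in raw or needle in deleet):
            reasons.append(f"contains {label}")

    return reasons


if __name__ == "__main__":
    # Constructed sample candidates for a hypothetical user "kevin" on "myspace".
    for pw in ("passw0rd", "Kevin loves MySpace!!", "K3v1n is gr34t!",
               "Correct horse battery, staple!"):
        result = check_passphrase(pw, username="kevin", site="myspace")
        print(repr(pw), "->", result or "OK")
```

Running the block rejects "passw0rd" on four counts (including the banned word it decodes to), flags "K3v1n is gr34t!" for containing the username once the digits are mapped back to letters, and accepts the four-word phrase with a capital and punctuation.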

As noted in the second article, iPowerWeb were distinctly unhelpful in getting this problem resolved, taking six hours to take down the site.  It makes me wonder what sort of legal liability could be laid on hosts such as iPowerWeb when they are alerted to a major phishing incident, are warned that they are hosting stolen data (or are warned that sites they host have been hacked and are infecting visitors), yet fail to mitigate the situation.  It is true that in the case of this particular iPowerWeb incident the data files containing the stolen information were deleted (we don't know by whom) before the compromised Web site that was used to store the stolen usernames and passwords was eventually taken down, but we have no way of knowing whether the bad guys had the opportunity to retrieve any or all of the information they had stolen.

Earlier articles about myspace problems include the following.  I have long since taken the step of blocking access to myspace on all networks for which I have responsibility - both home and corporate networks.

Fake login pages (28 October 2006):

Unencrypted logins (8 August 2006):

One million visitors infected via WMF exploit (21 July 2006):

Worm spreading through myspace:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/18/105039.aspx linking to http://www.itnews.com.au/newsstory.aspx?CIaNID=34955

Published Sat, Nov 11 2006 6:51 by sandi


# re: Just one more reason not to use myspace

Wednesday, December 27, 2006 12:32 PM by Kevin Pina

I opened a new account earlier this year but never had the time to use it. Today I received a request from someone wanting to join "my friends." Out of curiosity I went back through my emails and retrieved the original account information and password initially forwarded to me after opening the account. Lo and behold the password worked and there before my eyes was a page containing pornographic photos and videos and material I personally would never want to be associated with. It was still under my name with my current email address.

I have been a journalist and documentary filmmaker for over 20 years and have been the target of malicious personal attacks because of my political stance in questioning US foreign policy. Anyone who saw this MySpace page in my name would have associated it with my person and reputation, which I find frightening. Again, access to this page was only possible by using the original password that was sent directly from MySpace.com.

Needless to say, I immediately deleted the account after creating a .pdf of the contents to forward to my attorney.

The interesting thing was that the first friend on the account was a photo of a man named Tom. I have since learned he is Mr. MySpace himself.

Beware of MySpace, their role and intention is less than transparent and clear to me.


Kevin Pina